Posted by timothy on Thursday September 26, 2013 @12:34PM from the brew-more dept.

New submitter ddyer writes "Java 1.7.0_40 [Note: released earlier this month] introduces a new 'red text' warning when running unsigned Java applets. 'Running unsigned applications like this will be blocked in a future release...' Or, for self-signed applets, 'Running applications by UNKNOWN publishers will be blocked in a future release...' I think I see the point — this will give the powers that be the capability to shut off any malware java applet that is discovered by revoking its certificate. The unfortunate cost of this is that any casual use of Java is going to be killed. It currently costs a minimum of $100/year and a lot of hoop-jumping to maintain a trusted certificate."

Java? Casual? That's like saying the US Tax code is good bed-time reading. After realizing I was spending half my frickin' life compiling, reloading, and waiting... waiting... (I'm looking at _you_ Tomcat) I switched to Python and never looked back.

I really don't think that there is a casual use of Java applets anymore. Banks and large corporations use it, but when was the last time you ran someone's java app that wasn't your own or a major corporation's? Large players can pay $100 a year for their app without thinking about it. Personal projects you trust and can push continue on. You shouldn't be running java apps from random other sources if you value security.

Java applets are an essential tool for science education -- as simulators [colorado.edu], calculators [hws.edu] etc. Are all these research groups supposed to get some authority to digitally sign their applets?

Fundamentally, a major aspect of Java security is that, since it runs on a VM, an applet is inherently encapsulated. Yes, VM bugs can cause problems, but the value of all the free educational applets online far exceeds any possible security benefits of unpatched VM bugs.

Except, you know, the whole being able to produce one package that reliably runs across any platform the VM does. PIP is not a replacement for a .JAR file, nor is it even a convenient alternative.

I mean I know what you're trying to do, "I'll shout out an OSS language and make some sweeping generalization about it taking over in some field...education maybe, yeah, that's a good one... Then the karma will just start rolling in." That's about as much thought as you've given the problem, which is probably why in any serious workplace you're still going to find Java being used, for better or worse. People like yourself haven't come up with a valid alternative -- worse still you mindlessly promote whatever platform you prefer, without any thought as to the logistics of entirely replacing every program you had written in one language with another entirely.

OSS proponents need to climb down off their soapboxes and do some actual coding for a change. We get it, the open alternative is the better one. If you want us to use an open alternative to Java, make one better than Java, make one that does what Java already does, then improves on it in some way. Matz did it with Perl and Ruby, now Ruby is practically a household name in the OSS community...what's stopping you? Lack of talent, perhaps?

It's much easier to blather out lines like "stop using Java and switch to Python programs that do the same thing," but as you already are obviously unaware, it isn't possible to wave one's hand and turn a Java program into a Python one overnight, not even a small one. Let alone something that's been running for a decade and has MILLIONS of lines of code to be replaced. The fact that you were modded as high as you were for this nonsense only serves to illustrate just how much of a ridiculous circlejerk this site has become.

Can't you make your own CA cert, shove that into the JRE/JVM keystore, and chug along "for free"? Or did you decide that it was worth $100/year to not deal with having to automate running keytool on all your desktops?

Java as an idea was great....write a program that compiles once and the binary can run on anything.

<rant>Java as an implementation has failed miserably for just the reason mentioned by the parent. I have encountered too many apps that won't run unless a specific version of the VM is available.

Then there is Tomcat, evil software container...I have lost too many hours of my life trying to keep that beast happy....just today I got an email from a colleague who wants to restart tomcat weekly because something is causing it to leak file descriptors. More than 1024 files open at the same time...I could probably figure it out, but that would again be more hours lost to java.</rant>

But it wouldn't be argued by anyone who actually knew what they were talking about.

For one thing, signing a Java applet proves exactly nothing about how trustworthy it is. You can easily get a signing certificate by spending a small amount of money and waiting a small amount of time. The whole concept of granting increased permissions to untrusted software just because it's been signed is absurd.

Secondly, blocking unsigned applets will break numerous existing web-enabled devices, which has been one of the significant remaining use cases for applets in recent years. These are effectively running embedded web servers and serving up the applets from there, so you can't just go in and upgrade them later when your certificate expires (and the longest cert periods you can get from major CAs are only about 2-3 years, a fraction of the normal lifetime of some of these devices).

The craziest thing is that the kinds of device I'm thinking of are typically used by the IT guys in large organisations. Some of them are going to go through months of approval process before they get installed, and when they do it will be in server rooms or data centres, accessed electronically via a separate management network with no connection to the outside world, and accessed physically via biometric security that would make James Bond cry. But in order to keep those applets safe, now they need to be signed too, just in case? Seriously?

Not everyone using applets accesses them from a public web site. They can't necessarily upgrade or replace them on a whim. The kinds of environments still using them are more likely to be exactly the kind of long-running projects where whipping up a quick replacement in JavaScript isn't a sensible option and where backward compatibility really matters.

Also, to anyone who thinks alternative technologies like JavaScript and HTML5 canvas/SVG offer the same flexibility and speed as Java applets, I know a prince in Nigeria who'd like to sell you a classic car from his collection for a great price.
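As an added example (not from the thread or any poster), here is a small Python inspector that makes concrete what the JRE's "unsigned" versus "signed" classification is actually keyed on. It checks whether a JAR carries a signature-file pair (META-INF/*.SF plus a matching .RSA/.DSA/.EC block) and whether the manifest's per-entry digests still match the entry contents, which is the integrity layer a signature binds to. It does not verify the signature block cryptographically or validate the signer's certificate chain (that is what `jarsigner -verify` does), so its "signed" result says nothing about who the signer is or whether they deserve trust, which is exactly the point made above. The JARs, entry names and the placeholder .RSA content are constructed for the example.

```python
import base64
import hashlib
import io
import zipfile

# Digest attributes a JAR manifest may carry, mapped to hashlib constructors.
DIGEST_ATTRS = {"SHA-256-Digest": hashlib.sha256, "SHA1-Digest": hashlib.sha1}
SIGNATURE_BLOCK_EXTS = ("RSA", "DSA", "EC")

# Constructed sample entries; the .class bytes are a stand-in, not a real class file.
SAMPLE_ENTRIES = {"Applet.class": b"\xca\xfe\xba\xbe constructed", "data/config.txt": b"mode=demo\n"}


def _b64_digest(func, data):
    return base64.b64encode(func(data).digest()).decode("ascii")


def build_jar(entries, signed=False):
    """Construct an in-memory JAR with a SHA-256 manifest.

    With signed=True it also drops in a placeholder .SF/.RSA pair so the
    inspector sees the *structure* of a signed JAR; the .RSA content is a
    constructed stand-in, not a real PKCS#7 signature block.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        lines = ["Manifest-Version: 1.0", ""]
        for name, data in entries.items():
            zf.writestr(name, data)
            lines += [f"Name: {name}", f"SHA-256-Digest: {_b64_digest(hashlib.sha256, data)}", ""]
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        if signed:
            zf.writestr("META-INF/APPLET.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/APPLET.RSA", b"constructed-placeholder-not-a-real-signature")
    return buf.getvalue()


def tamper(jar_bytes, name, new_data):
    """Return a copy of the JAR with one entry replaced (or added), manifest left untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            dst.writestr(info.filename, new_data if info.filename == name else src.read(info.filename))
        if name not in src.namelist():
            dst.writestr(name, new_data)
    return out.getvalue()


def parse_manifest(text):
    """Split a manifest into sections (dicts); the first is the main section, the rest carry 'Name'."""
    joined = []
    for line in text.splitlines():
        if line.startswith(" ") and joined:  # continuation line (manifest lines wrap at 72 bytes)
            joined[-1] += line[1:]
        else:
            joined.append(line)
    sections, current = [], {}
    for line in joined:
        if line == "":
            if current:
                sections.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        sections.append(current)
    return sections


def inspect_jar(jar_bytes):
    """Report signature-file presence and manifest digest consistency for a JAR.

    'signed' means an .SF file with a matching signature block exists; it does
    NOT mean the signature verifies or that the signer is trustworthy.
    """
    report = {"signed": False, "signature_files": [], "digest_mismatches": [], "unlisted_entries": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        meta = [n for n in names if n.startswith("META-INF/")]
        blocks = {n.rsplit(".", 1)[0] for n in meta if n.upper().rsplit(".", 1)[-1] in SIGNATURE_BLOCK_EXTS}
        report["signature_files"] = sorted(
            n for n in meta if n.upper().endswith(".SF") and n.rsplit(".", 1)[0] in blocks)
        report["signed"] = bool(report["signature_files"])

        listed = set()
        for section in parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8")):
            name = section.get("Name")
            if not name:
                continue
            listed.add(name)
            if name not in names:
                report["digest_mismatches"].append(name)  # manifest lists an entry that is gone
                continue
            data = zf.read(name)
            for attr, func in DIGEST_ATTRS.items():
                if attr in section and section[attr] != _b64_digest(func, data):
                    report["digest_mismatches"].append(name)
                    break
        # Entries the manifest never covered are outside the integrity envelope entirely.
        report["unlisted_entries"] = [n for n in names
                                      if not n.startswith("META-INF/") and not n.endswith("/") and n not in listed]
    return report


if __name__ == "__main__":
    signed = build_jar(SAMPLE_ENTRIES, signed=True)
    for label, jar in [("unsigned", build_jar(SAMPLE_ENTRIES)), ("signed", signed),
                       ("tampered", tamper(signed, "Applet.class", b"changed")),
                       ("extra entry", tamper(signed, "Extra.class", b"unlisted"))]:
        print(label, inspect_jar(jar))
```

Run as a script it prints the four reports; the tampered and extra-entry copies show why an integrity check has to cover every entry the manifest lists and also flag entries the manifest does not list at all, since a signature over the manifest says nothing about files outside it.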

No, as a C# developer myself, I can truthfully state that the GP is not a troll and that your "go learn something new" scenario is as rare as hens' teeth.

Nobody actually uses that stuff in production because of Microsoft's poor track record for supporting those types of new features. Instead, I'm writing:
1) Console applications for data manipulation
2) WinMo applications for handheld stuff
3) Webforms stuff (and a few new MVC4 bits and pieces) for web portals
4) Web services (yes, "legacy" WSDL/UDDI stuff) and a little bit of WCF for web data feeds
5) Winforms applications for whatever desktop apps are left over

No WPF, no WinPhone, and certainly nothing for the "metro" or "modern" or "xbox-pissed-in-my-corn-flakes" UI, whatever it's called this week.

I have yet to find a dire need for WPF or anything related to it, and I have yet to even see a WinPhone in the wild or a metro app that wasn't bundled with Windows 8. And other stuff like LINQ and Entity Data Model stuff have their own problems, mostly in their attempts to be smarter than the developer. Spoiler: it's not, and when it tries, it stops being useful.

I was being a bit tongue-in-cheek (apparently that's viewed as more trolling than humorous here, but whatev).

I've been a developer, and I've been management... Most developers get paid as well as their immediate management, and very often better than the sales department. I actually left being a developer/manager to go back to being a developer. Pay raise, better work. Right now my day-to-day is PHP, Java, and C#, depending on the project.

ANY technology is prone to being obsolete before it reaches its full potential. If you jump on the bandwagon just because it's being released by company/group XYZ, you're crazy. Microsoft releases frameworks that don't last. Google kills apps. Blackberry does stupid stuff... It's all variations on a theme.

For every two or three poorly conceived things MS publishes, there is one that is actually really quite good and deserves attention. While C# and Java were once very similar, C# continued to grow as Java stagnated. Now Java's back in the game, but it's owned by Oracle, which scares the #$#( out of me. All that said, Visual Studio is still the best IDE out there.